dcrat | 5c63933553e1452d634beb2b295333e4db5742e571322d823648d4e5c94b2828

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fa6bf4f199a845715d9f5807a98d9ab.exe
Size

885KB
MD5

7fa6bf4f199a845715d9f5807a98d9ab
SHA1

25652948f2c3d400323873cb41bbc6b2b609d96a
SHA256

06198c97d0afdc17232dc3ffc8d5b23b5b97d82cf01bcdf8ef1236f08812e702
SHA512

99a56b7ddd2ff25d220e25c2ae1b0b92d8ee68313b54a23a937587e2677a9a776b8e55593c9b9dbd3b01c7365d006bba81066c747398afa6f23a53f9530b276c
SSDEEP

12288:0lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:0lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5852	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5824	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5560	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5496	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5596	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5460	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5468	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5216	4860	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	4860	schtasks.exe	87

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral22/memory/1112-1-0x0000000000E60000-0x0000000000F44000-memory.dmp	dcrat
behavioral22/files/0x0008000000024258-21.dat	dcrat
behavioral22/files/0x000a000000024286-106.dat	dcrat
behavioral22/files/0x000a000000024273-169.dat	dcrat

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	7fa6bf4f199a845715d9f5807a98d9ab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	7fa6bf4f199a845715d9f5807a98d9ab.exe

Executes dropped EXE 15 IoCs

pid	Process
3620	spoolsv.exe
4532	spoolsv.exe
636	spoolsv.exe
1596	spoolsv.exe
5328	spoolsv.exe
4652	spoolsv.exe
688	spoolsv.exe
3360	spoolsv.exe
324	spoolsv.exe
5816	spoolsv.exe
2500	spoolsv.exe
4984	spoolsv.exe
5544	spoolsv.exe
4700	spoolsv.exe
4784	spoolsv.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\de-DE\csrss.exe	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\RCX7758.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Program Files\edge_BITS_4520_1919513328\RCX77E8.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX7958.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Program Files\edge_BITS_4664_1657696765\RuntimeBroker.exe	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Program Files\Windows Media Player\de-DE\886983d96e3d3e	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Program Files\7-Zip\Lang\smss.exe	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX7876.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX7877.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Program Files\edge_BITS_4664_1657696765\RuntimeBroker.exe	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Program Files\7-Zip\Lang\69ddcba757bf72	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Program Files (x86)\Windows Mail\5940a34987c991	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Program Files\edge_BITS_4664_1657696765\RCX7736.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX7928.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\RCX7747.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Program Files\edge_BITS_4664_1657696765\9e8d7a4ca61bd9	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Program Files\edge_BITS_4520_1919513328\RuntimeBroker.exe	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Program Files\edge_BITS_4520_1919513328\9e8d7a4ca61bd9	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Program Files (x86)\Windows Mail\dllhost.exe	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Program Files\edge_BITS_4664_1657696765\RCX7735.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Program Files\edge_BITS_4520_1919513328\RCX77D8.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\LanguageOverlayCache\TextInputHost.exe	7fa6bf4f199a845715d9f5807a98d9ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	7fa6bf4f199a845715d9f5807a98d9ab.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	7fa6bf4f199a845715d9f5807a98d9ab.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3056	schtasks.exe
4080	schtasks.exe
324	schtasks.exe
4208	schtasks.exe
3096	schtasks.exe
3152	schtasks.exe
5216	schtasks.exe
4032	schtasks.exe
704	schtasks.exe
5596	schtasks.exe
2592	schtasks.exe
3392	schtasks.exe
5460	schtasks.exe
3412	schtasks.exe
2616	schtasks.exe
2352	schtasks.exe
116	schtasks.exe
2412	schtasks.exe
4788	schtasks.exe
1080	schtasks.exe
4140	schtasks.exe
1724	schtasks.exe
5560	schtasks.exe
4216	schtasks.exe
5852	schtasks.exe
5824	schtasks.exe
5496	schtasks.exe
4312	schtasks.exe
4916	schtasks.exe
436	schtasks.exe
2216	schtasks.exe
2808	schtasks.exe
1628	schtasks.exe
3920	schtasks.exe
5468	schtasks.exe
4540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1112	7fa6bf4f199a845715d9f5807a98d9ab.exe
2796	7fa6bf4f199a845715d9f5807a98d9ab.exe
2796	7fa6bf4f199a845715d9f5807a98d9ab.exe
2796	7fa6bf4f199a845715d9f5807a98d9ab.exe
2796	7fa6bf4f199a845715d9f5807a98d9ab.exe
2796	7fa6bf4f199a845715d9f5807a98d9ab.exe
2796	7fa6bf4f199a845715d9f5807a98d9ab.exe
2796	7fa6bf4f199a845715d9f5807a98d9ab.exe
2796	7fa6bf4f199a845715d9f5807a98d9ab.exe
2796	7fa6bf4f199a845715d9f5807a98d9ab.exe
2796	7fa6bf4f199a845715d9f5807a98d9ab.exe
2796	7fa6bf4f199a845715d9f5807a98d9ab.exe
3620	spoolsv.exe
4532	spoolsv.exe
636	spoolsv.exe
1596	spoolsv.exe
5328	spoolsv.exe
5328	spoolsv.exe
4652	spoolsv.exe
4652	spoolsv.exe
688	spoolsv.exe
3360	spoolsv.exe
324	spoolsv.exe
5816	spoolsv.exe
2500	spoolsv.exe
4984	spoolsv.exe
4700	spoolsv.exe
4784	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	7fa6bf4f199a845715d9f5807a98d9ab.exe
Token: SeDebugPrivilege	2796	7fa6bf4f199a845715d9f5807a98d9ab.exe
Token: SeDebugPrivilege	3620	spoolsv.exe
Token: SeDebugPrivilege	4532	spoolsv.exe
Token: SeDebugPrivilege	636	spoolsv.exe
Token: SeDebugPrivilege	1596	spoolsv.exe
Token: SeDebugPrivilege	5328	spoolsv.exe
Token: SeDebugPrivilege	4652	spoolsv.exe
Token: SeDebugPrivilege	688	spoolsv.exe
Token: SeDebugPrivilege	3360	spoolsv.exe
Token: SeDebugPrivilege	324	spoolsv.exe
Token: SeDebugPrivilege	5816	spoolsv.exe
Token: SeDebugPrivilege	2500	spoolsv.exe
Token: SeDebugPrivilege	4984	spoolsv.exe
Token: SeDebugPrivilege	4700	spoolsv.exe
Token: SeDebugPrivilege	4784	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 2392	1112	7fa6bf4f199a845715d9f5807a98d9ab.exe	94
PID 1112 wrote to memory of 2392	1112	7fa6bf4f199a845715d9f5807a98d9ab.exe	94
PID 2392 wrote to memory of 6096	2392	cmd.exe	96
PID 2392 wrote to memory of 6096	2392	cmd.exe	96
PID 2392 wrote to memory of 2796	2392	cmd.exe	103
PID 2392 wrote to memory of 2796	2392	cmd.exe	103
PID 2796 wrote to memory of 5292	2796	7fa6bf4f199a845715d9f5807a98d9ab.exe	136
PID 2796 wrote to memory of 5292	2796	7fa6bf4f199a845715d9f5807a98d9ab.exe	136
PID 5292 wrote to memory of 4516	5292	cmd.exe	138
PID 5292 wrote to memory of 4516	5292	cmd.exe	138
PID 5292 wrote to memory of 3620	5292	cmd.exe	144
PID 5292 wrote to memory of 3620	5292	cmd.exe	144
PID 3620 wrote to memory of 3816	3620	spoolsv.exe	146
PID 3620 wrote to memory of 3816	3620	spoolsv.exe	146
PID 3620 wrote to memory of 5536	3620	spoolsv.exe	147
PID 3620 wrote to memory of 5536	3620	spoolsv.exe	147
PID 3816 wrote to memory of 4532	3816	WScript.exe	148
PID 3816 wrote to memory of 4532	3816	WScript.exe	148
PID 4532 wrote to memory of 2720	4532	spoolsv.exe	150
PID 4532 wrote to memory of 2720	4532	spoolsv.exe	150
PID 4532 wrote to memory of 5248	4532	spoolsv.exe	151
PID 4532 wrote to memory of 5248	4532	spoolsv.exe	151
PID 2720 wrote to memory of 636	2720	WScript.exe	156
PID 2720 wrote to memory of 636	2720	WScript.exe	156
PID 636 wrote to memory of 4384	636	spoolsv.exe	158
PID 636 wrote to memory of 4384	636	spoolsv.exe	158
PID 636 wrote to memory of 5800	636	spoolsv.exe	159
PID 636 wrote to memory of 5800	636	spoolsv.exe	159
PID 4384 wrote to memory of 1596	4384	WScript.exe	160
PID 4384 wrote to memory of 1596	4384	WScript.exe	160
PID 1596 wrote to memory of 4468	1596	spoolsv.exe	162
PID 1596 wrote to memory of 4468	1596	spoolsv.exe	162
PID 1596 wrote to memory of 2924	1596	spoolsv.exe	163
PID 1596 wrote to memory of 2924	1596	spoolsv.exe	163
PID 4468 wrote to memory of 5328	4468	WScript.exe	164
PID 4468 wrote to memory of 5328	4468	WScript.exe	164
PID 5328 wrote to memory of 6116	5328	spoolsv.exe	166
PID 5328 wrote to memory of 6116	5328	spoolsv.exe	166
PID 5328 wrote to memory of 3936	5328	spoolsv.exe	167
PID 5328 wrote to memory of 3936	5328	spoolsv.exe	167
PID 6116 wrote to memory of 4652	6116	WScript.exe	168
PID 6116 wrote to memory of 4652	6116	WScript.exe	168
PID 4652 wrote to memory of 2324	4652	spoolsv.exe	170
PID 4652 wrote to memory of 2324	4652	spoolsv.exe	170
PID 4652 wrote to memory of 4400	4652	spoolsv.exe	171
PID 4652 wrote to memory of 4400	4652	spoolsv.exe	171
PID 2324 wrote to memory of 688	2324	WScript.exe	172
PID 2324 wrote to memory of 688	2324	WScript.exe	172
PID 688 wrote to memory of 5192	688	spoolsv.exe	174
PID 688 wrote to memory of 5192	688	spoolsv.exe	174
PID 688 wrote to memory of 2704	688	spoolsv.exe	175
PID 688 wrote to memory of 2704	688	spoolsv.exe	175
PID 5192 wrote to memory of 3360	5192	WScript.exe	179
PID 5192 wrote to memory of 3360	5192	WScript.exe	179
PID 3360 wrote to memory of 4540	3360	spoolsv.exe	181
PID 3360 wrote to memory of 4540	3360	spoolsv.exe	181
PID 3360 wrote to memory of 3384	3360	spoolsv.exe	182
PID 3360 wrote to memory of 3384	3360	spoolsv.exe	182
PID 4540 wrote to memory of 324	4540	WScript.exe	183
PID 4540 wrote to memory of 324	4540	WScript.exe	183
PID 324 wrote to memory of 636	324	spoolsv.exe	185
PID 324 wrote to memory of 636	324	spoolsv.exe	185
PID 324 wrote to memory of 3628	324	spoolsv.exe	186
PID 324 wrote to memory of 3628	324	spoolsv.exe	186

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7fa6bf4f199a845715d9f5807a98d9ab.exe
"C:\Users\Admin\AppData\Local\Temp\7fa6bf4f199a845715d9f5807a98d9ab.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2jap7Gn3A.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:6096
- - C:\Users\Admin\AppData\Local\Temp\7fa6bf4f199a845715d9f5807a98d9ab.exe
    "C:\Users\Admin\AppData\Local\Temp\7fa6bf4f199a845715d9f5807a98d9ab.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vf1Vq2YPmL.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5292
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4516
    - - C:\34c553de294c1d56d0a800105b\spoolsv.exe
        
        "C:\34c553de294c1d56d0a800105b\spoolsv.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3620
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d61a4ba8-26f8-41ac-a8a9-0d087e4fa873.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b8dde06-a084-4c87-919f-d9da637663df.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\919014b4-e233-4015-9e58-be0010e38651.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0faa20d3-17c0-42b7-a9e3-a98139dad5b4.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7f59127-0006-4506-9e69-f5e24aa4fe3c.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:6116
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8510b0b2-d58a-4a8c-a123-48c1013609e1.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75073b07-32b8-4fbf-bfeb-ffc86185fbd9.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:5192
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47a05be9-2ca0-4f49-b489-f10ea984a058.vbs"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9beacc35-5c6d-4839-81db-125aab7a72c2.vbs"
        22⤵
        
        PID:636
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2241b739-335e-431a-9866-e8cf73bd51e6.vbs"
        24⤵
        
        PID:1788
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91bddfd0-d2e8-4343-86a5-4e1275ff5786.vbs"
        26⤵
        
        PID:5528
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed62b88c-605b-4043-a81e-52e05edd2c8e.vbs"
        28⤵
        
        PID:6116
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9c5630f-e636-4df4-a795-5b11ddcb6749.vbs"
        30⤵
        
        PID:4448
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c386e77-9008-4b11-a851-b75d4b6dcf25.vbs"
        32⤵
        
        PID:4180
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        
        C:\34c553de294c1d56d0a800105b\spoolsv.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0cc01af-6c25-49b9-8aae-541fa303340a.vbs"
        34⤵
        
        PID:1536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bfdc596-3359-45b4-99d0-99e7ff5fca6d.vbs"
        34⤵
        
        PID:2920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6466493d-400f-4d2a-b350-5c12dadcd0f0.vbs"
        32⤵
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d647a5a-b5c1-4012-ad9a-0425c8bf53e4.vbs"
        30⤵
        
        PID:5364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df1730c2-1b48-449c-a304-a96311924afd.vbs"
        28⤵
        
        PID:3656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c792dfc7-e723-479f-a7a7-9e147cbdbe79.vbs"
        26⤵
        
        PID:4392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bdc885a-1690-4937-bcb4-52322794864d.vbs"
        24⤵
        
        PID:3472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1703ee9c-587a-47c6-b71e-4f477d339db6.vbs"
        22⤵
        
        PID:3628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\089c0eec-fd24-4b63-abd6-b0e82fd77a01.vbs"
        20⤵
        
        PID:3384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48cff293-a00d-4fca-8a68-b79d9a2bb3b9.vbs"
        18⤵
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7782804a-65be-4cdd-a827-9b301a50b220.vbs"
        16⤵
        
        PID:4400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdecd9af-01a5-437e-b188-090e26dcd125.vbs"
        14⤵
        
        PID:3936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf94244d-dbc0-48b1-9e22-8d9ad467007d.vbs"
        12⤵
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f909a47-f0ab-4b62-8e1a-0c25171728e2.vbs"
        10⤵
        
        PID:5800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e77a2060-cb4e-4782-8c42-3cb1c616793f.vbs"
        8⤵
        
        PID:5248
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91441785-6a0e-4c42-bc5d-18f54c8b6f05.vbs"
        6⤵
        
        PID:5536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4664_1657696765\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4664_1657696765\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4664_1657696765\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4520_1919513328\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4520_1919513328\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4520_1919513328\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7fa6bf4f199a845715d9f5807a98d9ab7" /sc MINUTE /mo 14 /tr "'C:\Users\Default\AppData\Local\Temp\7fa6bf4f199a845715d9f5807a98d9ab.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7fa6bf4f199a845715d9f5807a98d9ab" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\Temp\7fa6bf4f199a845715d9f5807a98d9ab.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7fa6bf4f199a845715d9f5807a98d9ab7" /sc MINUTE /mo 11 /tr "'C:\Users\Default\AppData\Local\Temp\7fa6bf4f199a845715d9f5807a98d9ab.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\34c553de294c1d56d0a800105b\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\34c553de294c1d56d0a800105b\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2f3e0199fccb3f72e8a39924edc6a781\Registry.exe

Filesize
885KB

MD5
0464e5901ee67678ccee5133f470833c

SHA1
b2c5c250a1011de704c2e4638f5dd8195842df39

SHA256
0dec0ce5ca45113375accbe3e1abf425ebc5716c157d3efa0e6e139f835c2e09

SHA512
ce4580af3fcd481762c89d61fd3d0e0fb7166718601ee87a543108f500482ed410894aac960659eb2fe5ecb0a608e9de0ebdb20df73027506fd6819d6539a013

Download Submit
C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe

Filesize
885KB

MD5
7fa6bf4f199a845715d9f5807a98d9ab

SHA1
25652948f2c3d400323873cb41bbc6b2b609d96a

SHA256
06198c97d0afdc17232dc3ffc8d5b23b5b97d82cf01bcdf8ef1236f08812e702

SHA512
99a56b7ddd2ff25d220e25c2ae1b0b92d8ee68313b54a23a937587e2677a9a776b8e55593c9b9dbd3b01c7365d006bba81066c747398afa6f23a53f9530b276c

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
885KB

MD5
1432686f607a936cc81fc07d31368ada

SHA1
6b99edb33b6baf5b18762a3e2eb30059967711d0

SHA256
821b5514fd6516670c286b679c6212247721fb5f741e108b49369f92e5b14a27

SHA512
54a98b9b42c07b136e00166e959dd2ccd6841f57a3cec8ea051d85b25da5756c878cb51a77339d0f7f67986344c84d4876d27a876f768693177a69760a18efed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7fa6bf4f199a845715d9f5807a98d9ab.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b8dde06-a084-4c87-919f-d9da637663df.vbs

Filesize
717B

MD5
220077cc56c814dc14c2bffda3e5e018

SHA1
bdac08c2227854182e65d5d06410297247e390cf

SHA256
04b464fd46fde02f00d0dd42383e02c32b4e354b580457a2cba1c139cd7ef320

SHA512
2cb6fc6bae5b0e6ef08d8f8530260feb6814ee8a3057ebe30a13b3a033ca2633049b88b846ee5a561a8f24b3c5dbc44b1a0cee64e0f694b28ca6c355a57c0708

Download Submit
C:\Users\Admin\AppData\Local\Temp\0faa20d3-17c0-42b7-a9e3-a98139dad5b4.vbs

Filesize
717B

MD5
b1259cc86602a6bba36d7c7f8edf82fc

SHA1
921ab5d8c83fcfcb2b5b46071b7cb10b5a0558e0

SHA256
070eda92459996302e226a7b7f2faf1543b7e674018b8e795ea6f0c4ba106638

SHA512
70b90a02f2f08e50475d15bc4da4d4f0a8691a1df31e26b88984d715df76e5a0a340b7b6a7ef714e4db4aeb0862bb321eb1a8337739d35232a5a0d0eecdaf786

Download Submit
C:\Users\Admin\AppData\Local\Temp\2241b739-335e-431a-9866-e8cf73bd51e6.vbs

Filesize
717B

MD5
3f8a9ef510f9ca673dfc9b9d8afe0807

SHA1
3abd001daa478a994b11298a5a388cb41bba0c93

SHA256
64117f35b65c13c18aac5a2a3c55d09a00034441a1cf71d18fa285f956e86639

SHA512
089ab59866624dc102275a934da7b7216fa15d89e368a2f0097730011862a8bfa75d658bdae0fc4f4b1d6030f4e19b12f98bc1e0ea3f81cf06469b47ce20273b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c386e77-9008-4b11-a851-b75d4b6dcf25.vbs

Filesize
717B

MD5
6b32dbc56e4ebd1031e0a9901cf5689e

SHA1
326142473de734768817ae1aa3daed5efc967739

SHA256
71789bd053d5b68a231195c581b9cce5a89293334d21c2d9437590fb8e2e9cfd

SHA512
bd6d9abdd44396f3cf46a78eebdfab62aeb8fc4758aa58a8ec7b28d72c3cd936f78e28ef0dbb14742b9737bba10f87b6bc02c3dd7385fcdfffb3ebe5b8e0ef92

Download Submit
C:\Users\Admin\AppData\Local\Temp\47a05be9-2ca0-4f49-b489-f10ea984a058.vbs

Filesize
717B

MD5
a012191745e996833bd054257a7d366a

SHA1
d055a7a8379cd162b9edfa7fdacae46dce73e13f

SHA256
98f32a6ac08e0c6db83e78a43f23cbc746035465bf68855f8b0872237ba56cc8

SHA512
15cfc6144d127d84d4b15f42bc00994b776752ab89ab5bdb0a108b4904f7056830184d13e19935f57f1e469e07c0230181c06a5e508c7afa17041adc58f0a4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\75073b07-32b8-4fbf-bfeb-ffc86185fbd9.vbs

Filesize
716B

MD5
6b7ca7f7996e27160f4cd08806df3aef

SHA1
f2fb195cc871e787cb4cc4c8728930b54a3b7ed1

SHA256
5a2f9f334a28d23667a178bbabfd22d6a9189f5c296350325ef18bb4691c7d89

SHA512
ad4c96a7525b3e2c03195099df8fc899d696defc81a8fc5abfd63adcf2e02986d87ad7b79c554e441cbe81f129a1b3ab43b278a45dff2cb5e6b5df3b914935a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8510b0b2-d58a-4a8c-a123-48c1013609e1.vbs

Filesize
717B

MD5
00e54ba92034b5a7996e82e7f084456b

SHA1
9a8bc1f31f763626a4006f581ba992da1539a872

SHA256
5c5983fabfc94fc352ce039907847dbd67e3f41d3e1fb9a1ac8b09036965f945

SHA512
15a3ca62df7eb1af0a4ef5b7caaf8e9cf51e3d3450b585d9c4a23caaa0190db049b5b2197fa8b743d917cf128e533ae46dc897b6e17fd3786918cd043db7e585

Download Submit
C:\Users\Admin\AppData\Local\Temp\8bab4def34df863fdb06ae560e5739d2f8c29051.exe

Filesize
885KB

MD5
dae423dcdf77c3ee1f88cf6ad17ab009

SHA1
4a7233065af4168332305dacc5ea6e20088c5be0

SHA256
8a23a12980d5668acce474ea6202521536e29e8a8271803e6294508621f4849a

SHA512
1d9750063ecb5601415212783887e49a0aa752d770ceac3b7f98d04835540bda1d6d6e821baf9a5d17ff2771cc7a386541c7d0923bd74684848d4bfd263d95b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\91441785-6a0e-4c42-bc5d-18f54c8b6f05.vbs

Filesize
493B

MD5
20201d63ce23d59248bd97afa49c6e35

SHA1
df9cfa758c6911553b7ae5dcb8c1c8e8190e7e7d

SHA256
066323e61b023698055d294d016f86845b3aa913143265638384bb59995abd89

SHA512
068cea81d292063b3ea6791417bc83c8a5f81801dab65e6b7dffa9c7d2aee3b1fac42342d50389622ed5b7b3c160c6724983f655bc3d23cd67b9c84b18b00283

Download Submit
C:\Users\Admin\AppData\Local\Temp\919014b4-e233-4015-9e58-be0010e38651.vbs

Filesize
716B

MD5
ae4bec0f19576a26e50ea90db031e639

SHA1
14e710141f64595bd09f6226a10a2cd08e906519

SHA256
a8e54583e665fe250ea63e3d279394ab2ee06a44133722e645b987581c5f29c0

SHA512
d2a1f1e24c3c4e7209bea3767d9cb2307fd4eb792346882c6eed1ddfa48c75600d968fafc67c48a5577d7968c55a1665cb3c1c45e249ebbc13e0143fd1015295

Download Submit
C:\Users\Admin\AppData\Local\Temp\91bddfd0-d2e8-4343-86a5-4e1275ff5786.vbs

Filesize
717B

MD5
dd3e967b6839055bbc6f49fa68f1c753

SHA1
f541438e942f3d1d7595f99968cb65e8549991de

SHA256
244958353d239acb554cf1c902d7ac18c34296914b43f63361d0048180a139aa

SHA512
e3456bece55d1de7946d351ee4670e34232f8e3d6bb137126d823e3c510bd989d88d04999844c6536dd8f2144652de7e57c14a9f6b4215a129a53b5cca613147

Download Submit
C:\Users\Admin\AppData\Local\Temp\9beacc35-5c6d-4839-81db-125aab7a72c2.vbs

Filesize
716B

MD5
336dc704f8539bd773a5ff6643aec4d0

SHA1
b35a97f502621b97794a8453dda12b566cfafa89

SHA256
085573f817c3b013abb9db3dbfc9c1447f97ec7b80db59c83953c3edacb577da

SHA512
c3ae68c80503d67402022e448c2c107a78c8bb4b31a8463f91fd768833d5f275e9c94122b56828c7d01b7333461fade7afd9450537c2346ffbe56b632f675971

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0cc01af-6c25-49b9-8aae-541fa303340a.vbs

Filesize
717B

MD5
69dd8047be36b0bc197f3a7538b7b13d

SHA1
342fcc2940519dfabf5f0b15c60b33ce51acf087

SHA256
edf7d85d9ee32d25b732bfc3d539be0d030f77b6a571a5cae3b6087fdc02967a

SHA512
40a5d4d34480d4da6c4bc93022056ab556ab05604f9b915f9c92fd39ccfdabcbcb04ae11e8e64420fe98538bedd23ba6d72f79b9d7503da069a3970b1ebf1ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d61a4ba8-26f8-41ac-a8a9-0d087e4fa873.vbs

Filesize
717B

MD5
24823505d8628b396ffd441d5c24ed98

SHA1
0244f94837bdcb65c5230d7ccbdcbd5d8a1f8f97

SHA256
ddd1209fbdc67c6aefe254e144bc45367d1bca7ea0ca6de78952344a6910fcc1

SHA512
33a645d2481f095e38421264c2ddc32c77e44999fab87c7e0a9054fd6e3c02012bf4a9127ecb5e570ecad87e9c93d5c466436c1ae84c8d748ca8ecf506bcedc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7f59127-0006-4506-9e69-f5e24aa4fe3c.vbs

Filesize
717B

MD5
803ed4fa2c20c7e2d9c9d920b22c21d7

SHA1
baf82054ac4a57ce01d67e004d79e4a262f08963

SHA256
91f3bf0dd52747198c43db20b4fccf5b2ce0d700d79bfed3c65ae8f7ad70eb54

SHA512
51ce29f0fe4fecd5ae55a4e25667b6afb0307f19aa970304d2f50c63d32393a950e346e92555c05c69810e8eb4d0fd6ea0e8ec395fe1c7147af70a0ce89f9ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed62b88c-605b-4043-a81e-52e05edd2c8e.vbs

Filesize
717B

MD5
e655377d40ee75cb50edf659aa430299

SHA1
79338882d699d6aa8d8877edc5477c481a1d0efc

SHA256
bd664d7ab3c04bbe183e2fd842bdc5e76d0626aac32d28b275e275ae9ea9358d

SHA512
a9ab6f82b662e764ba7a8bdefd8b29270336c9c672f7b1d05254863b1a43bf534a398879c85cb9b3c9f32badad8d62fca8cc2260157e2889c6dbf73ab5adfb31

Download Submit
C:\Users\Admin\AppData\Local\Temp\vf1Vq2YPmL.bat

Filesize
206B

MD5
05f71b064f30efa6836e414a494349bd

SHA1
e84373b93dbb2cbc8adc8ff2344b2e666a2ead2b

SHA256
db20cb75b18b821cc799356886112c92fc6dbb433e99d6d942fd2454dc5f1f4d

SHA512
710b57f1d018338108878c9f4c5cd3cd139d900ea1c456d41a6f0425de1267fd5d6c85211c25af006912162d656abae3b948b443c739d0fd3615299459787e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2jap7Gn3A.bat

Filesize
235B

MD5
88f822ca652793d468497520186eeeb6

SHA1
a5f7c736ee728408b67907c3db66cb4f46e1e074

SHA256
8e2f7a919cc49f1590111b7fcd3111e9d350575c8513e76ae773fd366305d3a1

SHA512
0a5243c1980453c9f34a27307cea2b133445bd6bf3fe3d3c6514c32292a2913be0c594e8a322c07a9308fc569117dd182f20cedd1dce8a908cb82633f1de43d5

Download Submit
memory/1112-4-0x000000001BAB0000-0x000000001BB00000-memory.dmp

Filesize
320KB

Download
memory/1112-6-0x000000001BA70000-0x000000001BA86000-memory.dmp

Filesize
88KB

Download
memory/1112-8-0x000000001BAA0000-0x000000001BAAE000-memory.dmp

Filesize
56KB

Download
memory/1112-49-0x00007FFFEE2F0000-0x00007FFFEEDB1000-memory.dmp

Filesize
10.8MB

Download
memory/1112-7-0x000000001BA90000-0x000000001BA9A000-memory.dmp

Filesize
40KB

Download
memory/1112-9-0x000000001BB00000-0x000000001BB08000-memory.dmp

Filesize
32KB

Download
memory/1112-3-0x000000001BA40000-0x000000001BA5C000-memory.dmp

Filesize
112KB

Download
memory/1112-10-0x000000001BB10000-0x000000001BB1C000-memory.dmp

Filesize
48KB

Download
memory/1112-0-0x00007FFFEE2F3000-0x00007FFFEE2F5000-memory.dmp

Filesize
8KB

Download
memory/1112-5-0x000000001BA60000-0x000000001BA70000-memory.dmp

Filesize
64KB

Download
memory/1112-2-0x00007FFFEE2F0000-0x00007FFFEEDB1000-memory.dmp

Filesize
10.8MB

Download
memory/1112-1-0x0000000000E60000-0x0000000000F44000-memory.dmp

Filesize
912KB

Download